A Hungry Botnet Is Feeding Off Old Ruby On Rails Bug

Ruby goes off the rails as old flaw that users should have patched is exploited in the wild

A five-month-old vulnerability in Ruby on Rails is being exploited to rope servers into a botnet, even though a patch was issued not long after the bug emerged.

The flaw, which is now only resident on old versions of the framework, lies in the XML parsing functionality and could be exploited just by making a request to an application based on Ruby on Rails.

Security researcher Jeff Jarmoc found malicious actors were throwing a C source file called k.c at vulnerable servers, forcing them to join an Internet Relay Channel (IRC) and become part of a simple, yet potentially troublesome, botnet.

How the botnet works

“It sets up an IRC bot, which connects to either cvv4you.ru (currently 188.190.124.81) or the bare IP 188.190.124.120 and joins the channel #rails,” Jarmoc explained. “Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers. There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

“In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months,” he wrote.

The big concern is that IT teams have not updated their systems. Sysadmins could be to blame but business processes may also be a serious issue preventing patching. Tal Be’ery, Imperva web research team leader, said the failure to patch would have been caused by a variety of issues.

“Why didn’t the exploited servers owners patch their server, although they had at least four months to do so?” he asked. “It could be any of these reasons:

The admin’s didn’t know about the vulnerability or patch.

There is not an automated patching system.

The admin wanted to install the patch but were prevented from doing so, due to development team requirements.